Infoblox Threat Intel

Revolver Rabbit is a DNS threat actor that created over 500,000 domains using a registered domain generation algorithm (RDGA) between February 2022 and July 2024. These domains were used as decoy and C2 domains for XLoader (aka FormBook) malware often used to steal user credentials. The domains cost an estimated $1M in registration fees, indicating that Revolver Rabbit’s cybercriminal activities are highly profitable. Infoblox has monitored the actor’s infrastructure since September 2023 detecting new domains as they emerge, but it took months to link the infrastructure directly to malware.

• Operating since: At least February 2022
• Infoblox discovered: March 2023
• Infoblox published: July 2024
• Prevalence: Uncommon